Hi,
I was hoping to understand how Zeek aggregates packets by connection. Is there any documentation that summarizes the approach? Is there a way to extract all the packets that correspond to a particular connection?
Thank you,
Ananditha Raghunath - 0557
Assistant Staff
Cyber Operations and Analysis Technology
MIT Lincoln Laboratory
ananditha.raghunath@ll.mit.edu | 781-981-9035
Hi,
a bit late, but...
I was hoping to understand how Zeek aggregates packets by connection. Is
there any documentation that summarizes the approach? Is there a way to
extract all the packets that correspond to a particular connection?
I don't think there is much documentation sadly. Basically - Zeek
identifies connections by 5-tuple and passes the packets on to the
TCP/UDP/ICMP protocol parsers for a specific connection. Connections are
timed out after a time amount that depends on the protocol, port, and
phase of connection establishment.
The set_record_packets bif can be used to write the packets of a
connection to a file (however that code has not seen a lot of testing
recently - it should work, but I don't really want to guarantee it).
Johanna
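To make the reply concrete, here is an added Zeek script (not code from the thread) that keeps packet recording on for one connection, selected by the 5-tuple in c$id, and turns it off for every other connection, so that only that connection's packets end up in the file written by -w. The addresses and port are constructed values, and it assumes the documented signature set_record_packets(cid: conn_id, do_record: bool): bool and that Zeek is run with a packet output file, e.g. zeek -r input.pcap -w one_conn.pcap record_one_conn.zeek.

```zeek
# record_one_conn.zeek (added example; constructed values, not from the thread)
# Assumes: set_record_packets(cid: conn_id, do_record: bool): bool, and that
# Zeek was started with -w so that per-connection packet recording has a sink.

module RecordOneConn;

export {
    ## The connection to keep, identified the way Zeek keys connections:
    ## originator host/port and responder host/port (protocol is implied by
    ## the port type). Constructed sample values.
    const want_orig_h = 10.0.0.5   &redef;
    const want_resp_h = 192.0.2.10 &redef;
    const want_resp_p = 443/tcp    &redef;
}

# new_connection fires once per 5-tuple when Zeek first sees it; both
# directions of the flow share the same connection entry, so deciding here
# covers every packet of the connection, handshake included.
event new_connection(c: connection)
    {
    local keep = c$id$orig_h == want_orig_h &&
                 c$id$resp_h == want_resp_h &&
                 c$id$resp_p == want_resp_p;

    # keep == T: this connection's packets are written to the -w file.
    # keep == F: recording is switched off for all other connections.
    if ( ! set_record_packets(c$id, keep) )
        Reporter::warning(fmt("could not set packet recording for %s", c$uid));
    }
```

Packets that Zeek never attributes to a connection are not affected by this flag, so the output file contains only traffic that was tracked as the selected 5-tuple.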